As we enter a new year, where many of us are trying to break old habits, I consider why PCI compliance is one habit that should be maintained all year round.
In Verizon’s 2020 Payment Security report, some of the figures made for rather alarming reading. It found that in 2019, only 27.9% of organizations assessed for the report had maintained full Payment Card Industry Data Security Standard (PCI DSS) compliance during their interim compliance validation. This means that almost three quarters of those previously assessed as fully compliant were not compliant at their interim validation.
This is the third consecutive year that PCI compliance rates have fallen, with fewer and fewer organizations demonstrating the ability to keep a minimum baseline of security controls in place. It’s also clear from the 140-page Verizon report that some vertical markets didn’t perform as well as others, including the retail, financial and hospitality sectors.
All in all, these results make for somber reading – but what causes a company’s compliance to slip, after the all-important first audit?
As I see it, a main factor is expectations: a company’s board or management may fall into the trap of seeing compliance as an annual affair that you gear up for when the auditor arrives. Perhaps organizations are insufficiently prepared for the ongoing resources needed to maintain year-round compliance, or departments simply abandon tasks or lose track of recurring responsibilities, thinking others are managing these.
Tasks such as managing daily log reviews, monthly vulnerability assessments, quarterly vulnerability scanning and annual formal reviews and training all need to be allocated to ensure staff take ongoing ownership of these.
There are also tasks that need to be maintained in the background, which may be considered inconvenient but are essential security controls, such as restricting access to systems or administrative privileges.
So, what can be done to address these causes to make PCI compliance become a habit for 2021?
The first thing is to manage expectations; organizations need to make sure they are actively communicating not only with board or senior managers but with all staff.
A whole-company approach is needed so everyone is aware of the important obligations. Involve teams in taking ownership of tasks alongside the compliance manager; it needs to be a shared role and factored into daily work tasks. Regular checks should also be in place to make sure the business is not slipping back to ‘business as usual’ with no regard for the rules.
One reason non-compliance occurs is that people are not sufficiently pessimistic or do not expect things to go wrong. However, things don’t always go to plan, as 2020 proved. Instead, expect and plan for things to go wrong, especially for less frequent tasks. For example, expect scanning licenses on tools to expire, or a member of the team to not update the inventory so you may not have a full record of current systems, or expect new vulnerabilities to arise at the worst time possible.
I would urge organizations to schedule task reminders well ahead of when they are due to give breathing room. Do not be blindsided by new employees joining and needing set-up, and don’t be surprised when PCI systems need to expand to handle new customers. Consider not only what is needed today, but also how the organization may change over time.
I also suggest that organizations make sure knowledge is not lost: a lot of processes tend to be owned by one or two people, and that knowledge may be ‘tribal’, so it isn’t necessarily written down with an explanation of what to do or, importantly, why these tasks need to happen. Work one-to-one with those who hold that knowledge to capture this information for future reference.
They say it takes 28 days to adopt a new habit – what should you be doing now to build compliance in as a habit?
My key tip for planning year-round compliance is to plan for the worst: document, formulize and make accessible. It’s a succinct way of approaching year-round data security.
I would recommend scheduling regular short meetings with all staff to explain compliance and discuss their questions so it becomes a regular action in their working weeks. This two-way conversation will also be an opportunity to understand where staff may be struggling to understand policies, or perhaps where they feel processes may be ‘getting in the way’ of their day-to-day tasks.
It is important to understand if they have concerns that may impact year-round compliance, so spend time going through policies to make sure operational processes are aligned.
I would also encourage organizations to proactively schedule time with auditors to get their views – to get the whole organization thinking about compliance as part of ‘business as usual’. A danger that some companies fall victim to is to consider auditors as an adversary or a gatekeeper that they must ‘hoodwink’. In fact, in all matters relating to PCI DSS and compliance, auditors are important stakeholders.
It is therefore worth having consultancy time with auditors to obtain their views relating to managing business expansion, on standards to compliance systems or on any concerns. The sooner and more closely that you involve the auditors that you must reassure, the more they can help you get your organization following the right path.